Configuring IPsec for FIPS Mode
Configuring IPsec for Enabling Internal Communications Between Routing Engines for Junos OS in FIPS Mode
In a Junos OS in FIPS mode environment, routers with two Routing Engines must use IPsec for internal communication between the Routing Engines. You configure internal IPsec after you install the Junos OS in FIPS mode. You must be a Crypto Officer to configure internal IPsec.
You cannot configure DES-based IPsec SAs in Junos OS in FIPS mode. The internal IPsec SAs use HMAC-SHA1-96 authentication and 3DES-CBC encryption.
Manual SAs require no negotiation. All values, including the keys, are static and specified in the configuration. Manual SAs statically define the SPI values, algorithms, and keys to be used, and require matching configurations on both ends of the tunnel. Each peer must have the same configured options for communication to take place.
When the switch is in FIPS mode, you cannot use the commit synchronize command until you have established an IPsec SA on each Routing Engine.
As Crypto Officer, you configure an internal IPsec SA for communication
between Routing Engines by creating an SA on each Routing Engine with the following statements
at the [security] hierarchy level:
To configure internal IPsec, include the security-association statement at the [security] hierarchy level. You can configure parameters, such
as the direction in which the manual IPsec SAs must be applied, the SPI value that uniquely
identifies the SA to use at the receiving Routing Engine, and the IPsec key that defines the
authentication and encryption keys for the manual IPsec SA.
[ security] ipsec { internal { security-association { manual { direction (bidirectional | inbound | outbound) { protocol esp; spi spi-value; encryption { algorithm (hmac-sha1-96 | hmac-sha2-256); key (ascii-text ascii-text-string | hexadecimal hexadecimal-number); } } } } } }
Tasks for configuring internal IPsec for Junos-FIPS are the following. You can configure the direction in which the manual IPsec SAs must be applied, the SPI value that uniquely identifies the SA to use at the receiving Routing Engine, and the IPsec key that defines the authentication and encryption keys for the manual IPsec SA.
Configuring the SA Direction
To configure the IPsec SA direction in which manual SAs of the IPsec tunnels
must be applied, include the direction statement at the [security ipsec internal
security-association manual] hierarchy level:
direction (bidirectional | inbound | outbound);
The value can be one of the following:
bidirectional—Apply the same SA values in both directions between Routing Engines.inbound—Apply these SA properties only to the inbound IPsec tunnel.outbound—Apply these SA properties only to the outbound IPsec tunnel.
If you do not configure the SA to be bidirectional, you must configure SA parameters for IPsec tunnels in both the inbound and outbound directions. The following example uses an inbound and outbound IPsec tunnel:
We recommend that you do not use the IPsec keys as ASCII keys for Junos OS in FIPS mode. Instead, you must use the IPsec keys as hexadecimal keys for maximum key strength.
[security]
ipsec {
internal {
security-association {
manual {
direction inbound {
protocol esp;
spi 512;
encryption {
algorithm 3des-cbc;
key hexadecimal 309fc4be20f04e53e011b00744642d3fe66c2c7c;
}
}
direction outbound {
protocol esp;
spi 513;
encryption {
algorithm 3des-cbc;
key hexadecimal b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da7;
}
}
}
}
}
}
Configuring the IPsec SPI
A security parameter index (SPI) is a 32-bit
index that identifies a security context between a pair of Routing Engines. To configure the
IPsec SPI value, include the spi statement at the [security ipsec internal
security-association manual direction] hierarchy level:
spi value;
The value must be from 256 through 16,639.
Configuring the IPsec Key
We recommend that you do not use the IPsec keys as ASCII keys for Junos OS in FIPS mode. Instead, you must use the IPsec keys as hexadecimal keys for maximum key strength.
The distribution and management of keys are critical to using VPNs successfully.
You must configure the ASCII text key values for authentication and encryption. To configure
the ASCII text key, include the key statement at the [security ipsec internal
security-association manual direction encryption] hierarchy level:
key (ascii-text ascii-text-string | hexadecimal hexadecimal-string);
For this type of SA, both keys must be preshared hexadecimal values, and each requires a specific cryptographic algorithm:
Authentication algorithm
HMAC-SHA1-96 (40 characters)
HMAC-SHA2-256 (64 characters)
Encryption algorithm
3DES-CBC (48 characters)
You must enter the key hexadecimal value twice and the strings entered must match, or the key will not be set. The hexadecimal key is never displayed in plain text. We recommend that you use the IPsec keys as hexadecimal keys for maximum key strength and not as ASCII keys for Junos OS in FIPS mode.
Example: Configuring Internal IPsec
Configure a bidirectional IPsec SA with an SPI value of 512 and a key value conforming to the FIPS 140-2 rules:
[edit security]
ipsec {
internal {
security-association {
manual {
direction bidirectional {
protocol esp;
spi 512;
encryption {
algorithm 3des-cbc;
key ascii-text “$ABC123”;
}
}
}
}
}
}